There are several laws in Switzerland regarding the processing and transfer of sensitive personal data. These include Article 13 of the Swiss Constitution and a Swiss law called the DPA, as well as European legislation, such as the GDPR. While we’re reluctant to make such sweeping statements, Swiss companies in general are more secure than their U.S.-based counterparts, thanks to Switzerland’s strict laws governing the processing of personal data.
In this article, we’ll go through all the data protection legislation that Swiss companies offer their users. Read on to find out why Switzerland has some of the best online privacy laws in the world.
Switzerland has long been hailed as a bastion of security. Data security is held sacred in Switzerland, and Swiss privacy laws are just plain better than anywhere else in the world. In fact, security-minded companies — like pCloud and ProtonVPN (read our ProtonVPN review) — frequently make their homes in the Alpine country.
Swiss Privacy Laws: The TL;DR Version

There are three major data protection laws governing the processing of personal data in Switzerland. The first is Article 13 of the Swiss Federal Constitution (no, not that Article 13). The second is the Federal Act on Data Protection (DPA). Lastly, Switzerland is a close partner of the European Union (despite not being part of it), thus Swiss companies must also adhere to the General Data Protection Regulation (GDPR).
We’ll look into each of these laws to see how they affect you, the user, when you’re dealing with a company based in Switzerland.
Article 13

Let’s start with the law of laws itself — the Swiss Constitution. Switzerland is one of very few countries to have data processing regulations built into its constitution. Article 13 of the constitution provides several protections to Swiss citizens with regard to online communications, email and the processing of personal data. The article states, in part:

1. Every person has the right to privacy in their private and family life and in their home, and in relation to their mail and telecommunications.

2. Every person has the right to be protected against the misuse of their personal data.

These constitutional provisions mean that all Swiss companies and service providers must expressly ask for permission to be able to process your data. There is a big “if” here, though: this only applies if you’re a Swiss citizen, as you otherwise won’t be covered by the Swiss Constitution. Fret not, however. Even if you’re not a Swiss citizen, the next two laws have you covered.
The Swiss Federal Act on Data Protection (DPA)
The DPA is a Swiss data protection law whose reach extends beyond the territory of Switzerland. It sets out to shield the right to privacy of Swiss data subjects, but its scope is larger than the constitution’s. It protects Swiss citizens against foreign companies misusing their personal data, and it also prevents Swiss companies from mishandling their users’ personal information.
As this law is based on the constitutional provision for data protection, the DPA states that any data subject interacting with a Swiss company must give the company permission to process personal data that belongs to them. Because of the law’s extraterritorial reach, your data will be kept safe with any Swiss company, no matter where you’re from.
The DPA has recently been updated to more closely comply with the EU’s GDPR, adding a higher level of data protection based on European data protection principles. The changes have been approved by lawmakers, but the overhauled law will come into effect either later in 2021 or 2022.
The General Data Protection Regulation (GDPR)

The GDPR is a European data protection law made to shield the data privacy rights of individuals residing within the EU from companies employing advanced data processing technologies. However, like the DPA, its reach projects well beyond Europe. Any controllers and processors of personal data that want to operate in the EU (and that includes providing services to EU citizens from abroad) must adhere to the GDPR. In effect, this means that most online businesses have to make some provisions to satisfy EU data protection laws, or lose access to the European market entirely.
The GDPR is meant to stop privacy breaches like Facebook’s Cambridge Analytica scandal. It forces companies to provide an adequate level of data protection for European data subjects. For one, under the GDPR, a user has to consent to the service storing their personal data, and the service is forced to delete all of their data if the user so wishes.
Even if a business follows an “opt-in” policy for handling personal data, information about a customer can’t be transferred to another entity without the customer’s permission. Plus, the business must notify all of its data subjects whenever it suffers a data breach. Companies must also employ a dedicated data supervisor called a Data Protection Officer (DPO), to make sure businesses have a body dedicated to data processing.
Failure to comply with any of these rules will result in a fine of either 20 million euros or 4 percent of the business’ annual global revenue, whichever is greater.